How to configure CORS in a Spring Boot + Spring Security application?

by

Spring Security can now leverage Spring MVC CORS support described in this blog post I wrote.

To make it work, you need to explicitly enable CORS support at Spring Security level as following, otherwise CORS enabled requests may be blocked by Spring Security before reaching Spring MVC.

If you are using controller level @CrossOrigin annotations, you just have to enable Spring Security CORS support and it will leverage Spring MVC configuration: 

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()...
    }
}

If you prefer using CORS global configuration, you can declare a CorsConfigurationSource bean as following:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()...
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }
}

This approach supersedes the filter-based approach previously recommended.

You can find more details in the dedicated CORS section of Spring Security documentation.

More Related Contents:

  1. Spring security CORS Filter
  2. HTTP status code 401 even though I’m sending credentials in the request
  3. Spring Boot Security CORS
  4. Spring Boot CORS filter – CORS preflight channel did not succeed
  5. Why does my JavaScript code receive a “No ‘Access-Control-Allow-Origin’ header is present on the requested resource” error, while Postman does not?
  6. XMLHttpRequest cannot load XXX No ‘Access-Control-Allow-Origin’ header
  7. Enabling CORS in Cloud Functions for Firebase
  8. Request header field Access-Control-Allow-Headers is not allowed by Access-Control-Allow-Headers
  9. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  10. CORS – How do ‘preflight’ an httprequest?
  11. Angular2/Spring Boot Allow Cross Origin on PUT
  12. CORS error on same domain?
  13. Firefox ‘Cross-Origin Request Blocked’ despite headers [closed]
  14. Understanding AJAX CORS and security considerations
  15. How to disable ‘X-Frame-Options’ response header in Spring Security?
  16. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  17. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  18. CORS – Is it a client-side thing, a server-side thing, or a transport level thing? [duplicate]
  19. Access to Image from origin ‘null’ has been blocked by CORS policy
  20. How to allow CORS in react.js?
  21. HTTP request from Angular sent as OPTIONS instead of POST
  22. Solve Cross Origin Resource Sharing with Flask
  23. Cross-domain connection in Socket.IO
  24. Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
  25. How to use multiple login pages one for admin and the other one for user
  26. Pushing data to Google spreadsheet through JavaScript running in browser
  27. socket.io, ‘Access-Control-Allow-Origin’ error
  28. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  29. Slack incoming webhook: Request header field Content-type is not allowed by Access-Control-Allow-Headers in preflight response
  30. Disabling a filter for only a few paths

Leave a Comment